Authentication "architecture" questions

I am trying to figure out how to architect the authentication part of my Podio integration app. My app will need to:

1. Allow a user to access a particular app ITEM, which we will get by sending the URL of the app ITEM to our app and then getting the spaceID, appID and itemID from that URL. Each user could be trying to access any app ITEM he has access to.

What type of authentication do we need to do for this, and how do we store the authentication ids so this user doesn't have to re-authenticate every time? We will also need to store some info on this user, such that we can do #2 below.

2. In this case the trigger will be an inbound email to our mail server; there will be no user intervention. Our app will detect the inbound email and will take the email and append it as a comment to an existing app item in the same APP that we connected to in #1 above.

How do we authenticate in this case?

I am thinking I need to use "Server Side Flow" Authentication which will give me an access token and refresh token for EACH user (I was originally thinking I could do this one time for all the users within an organization) and I should be able to use this for #1 and #2?

15 comments

BTW, in the case of #1 we would want to add a comment to the app ITEM in the name of the user using this function.

In the case of #2, the incoming email should not be attributed to any user, but to our app. In other words, we just need access to add or comment on existing ITEMS in that app the user already gave us access to in #1.

Great, thanks Casper... one other question that will help solidify things for me about Podio authentication...

What if I only had #2 as my app requirement... where there is never directly a user involved... I just want my web app to be able to take incoming emails and add them to an app as new items... how would I do that authentication?

And how would I handle it if I wanted you to use my app to send in emails into your app (without knowing your orgid, spaceid beforehand)?

When no user is directly involved in the interaction with the Podio API, we recommend using app authentication.

However, you can only use app auth for apps that you are the administrator of. While you could ask users to locate and provide your app with the id and access token for their apps, we would not recommend going that way, both for security and usability reasons.

If you want to be able to interact with anyone's app, you have to use the server side auth flow. After that, you would have to list the user's orgs, spaces and apps and let the user select the app. Then you would have both the access tokens and ids needed.

Take an incoming email to our email server and create an App Item in a random App that we have an appID for. (It may be one that I don't have any personal access to).

#1. The Item Api only lists "App Authentication" as a form of auth for that API, no Server Side Flow... so Question #1 - is App Auth my only choice in this case?

#2. I don't understand how App Auth works... does anyone who has access to (or guesses) my AppID have access to create a new item via the API using App Auth? That is great if so because it will make our app work fine, but seems like a pretty big security hole?

#1 Authenticating as a user (server side flow, password flow) is always possible. We don't list it because it's always available. We show App Authentication for each API operation because it's only available for select ones.

#2 The app token is a secret and should be treated as such. Think of it as a *limited* password to your app (it can only create items and act on items it has permission to change e.g. items it created itself). There's no security issue. The app token is significantly harder to guess than your Podio password (unless you have an extremely long Podio password). Just don't make it public -- in the same way you wouldn't hand your Podio password to a stranger.
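The two paths Casper and Andreas describe (server side flow for a user who authorises your app once, app authentication for the unattended email path) are easy to get subtly wrong: tokens kept per organisation instead of per user, expired access tokens retried, the app token pasted into config or logs. The module below is an added example, not Podio's code or anything from this thread, of a small token layer that keeps one access/refresh pair per user, refreshes it only when it has expired, and exchanges the app token for an app access token on demand. The endpoint and field names (`https://podio.com/oauth/token`, `grant_type` of `authorization_code`, `refresh_token` and `app`, `app_id`, `app_token`, `client_id`, `client_secret`) follow the Podio OAuth documentation as I recall it and should be checked against the current docs; the HTTP call is injected so the example runs offline against a constructed fake token server, and the app token value is a constructed placeholder standing in for a value read from a secret store.

```python
"""Added example: per-user and per-app token handling for a Podio integration."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

TOKEN_URL = "https://podio.com/oauth/token"  # Podio OAuth token endpoint (verify in docs)
PostFn = Callable[[str, Dict[str, str]], dict]  # (url, form fields) -> parsed JSON body


@dataclass
class Tokens:
    access_token: str
    refresh_token: Optional[str]
    expires_at: float  # unix time, derived from the response's expires_in at issue

    def expired(self, now: float, skew: float = 60.0) -> bool:
        # Treat the token as dead a little early so no request goes out with a dying one.
        return now >= self.expires_at - skew

    def __repr__(self) -> str:  # keep secrets out of logs and tracebacks
        return f"Tokens(expires_at={self.expires_at})"


class PodioAuth:
    def __init__(self, client_id: str, client_secret: str, post: PostFn,
                 clock: Callable[[], float] = time.time):
        self.client_id, self.client_secret = client_id, client_secret
        self.post, self.clock = post, clock
        self.users: Dict[str, Tokens] = {}  # keyed by OUR user id: one pair per user, not per org
        self.apps: Dict[int, Tokens] = {}   # keyed by Podio app_id, for unattended work

    def _grant(self, **fields: str) -> Tokens:
        body = dict(fields, client_id=self.client_id, client_secret=self.client_secret)
        r = self.post(TOKEN_URL, body)
        return Tokens(r["access_token"], r.get("refresh_token"),
                      self.clock() + float(r["expires_in"]))

    # ---- path #1: a user authorised us once; we keep that user's tokens ----
    def complete_server_side_flow(self, user_key: str, code: str, redirect_uri: str) -> str:
        """Second leg of the server side flow: swap the one-time code for tokens."""
        self.users[user_key] = self._grant(grant_type="authorization_code",
                                           code=code, redirect_uri=redirect_uri)
        return self.users[user_key].access_token

    def user_access_token(self, user_key: str) -> str:
        """Token to act as the user (e.g. comment in their name); refreshes silently."""
        t = self.users.get(user_key)
        if t is None:
            raise KeyError(f"{user_key} has not completed the server side flow")
        if t.expired(self.clock()):
            if not t.refresh_token:
                raise PermissionError("no refresh token; the user must authorise again")
            t = self._grant(grant_type="refresh_token", refresh_token=t.refresh_token)
            self.users[user_key] = t
        return t.access_token

    # ---- path #2: no user involved; the app's own secret token ----
    def app_access_token(self, app_id: int, app_token: str) -> str:
        """Token for unattended work on one app; app_token comes from a secret store."""
        t = self.apps.get(app_id)
        if t is None or t.expired(self.clock()):
            t = self._grant(grant_type="app", app_id=str(app_id), app_token=app_token)
            self.apps[app_id] = t
        return t.access_token


# ---- constructed fake token server and clock so the module runs offline ----
class FakeTokenServer:
    """Answers the way the token endpoint would; records each grant type it sees."""
    def __init__(self, lifetime: int = 3600):
        self.lifetime, self.seen, self.n = lifetime, [], 0  # type: int, List[str], int

    def post(self, url: str, body: Dict[str, str]) -> dict:
        assert url == TOKEN_URL
        self.seen.append(body["grant_type"])
        self.n += 1
        return {"access_token": f"access-{self.n}", "refresh_token": f"refresh-{self.n}",
                "expires_in": self.lifetime, "token_type": "bearer"}


class FakeClock:
    def __init__(self, t: float = 1_000_000.0):
        self.t = t

    def __call__(self) -> float:
        return self.t


def demo() -> dict:
    """Drive both paths; returns the tokens handed out and the grants the server saw."""
    server, clock = FakeTokenServer(lifetime=3600), FakeClock()
    auth = PodioAuth("client-id", "client-secret", server.post, clock)
    first = auth.complete_server_side_flow("user-42", "one-time-code", "https://example.invalid/cb")
    same = auth.user_access_token("user-42")   # still valid: served from memory, no grant
    clock.t += 4000                            # past expiry: the next call refreshes
    refreshed = auth.user_access_token("user-42")
    app1 = auth.app_access_token(12345, "PLACEHOLDER-APP-TOKEN")  # constructed placeholder
    app2 = auth.app_access_token(12345, "PLACEHOLDER-APP-TOKEN")  # cached until expiry
    return {"first": first, "same": same, "refreshed": refreshed,
            "app1": app1, "app2": app2, "grants": server.seen}


if __name__ == "__main__":
    print(demo())
```

In a real deployment `post` would be a `requests.post(url, data=body).json()` style call and the two dictionaries would be a database with the token columns encrypted at rest; the point the thread makes still holds, namely that the refresh token is what lets a user skip re-authenticating and the app token is a credential on par with a password, so both belong in the secret store, not in the code or the logs.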

Thanks Andreas! But the app token is provided by Podio during the App Auth post, correct? What stops some random company who is using the API from gaining access to create an item in my App without my permission?

One last question... if we use server side flow to authenticate, can we then query to get that app token that we can then use later for App Authentication? Or does some user HAVE to give us that token?